Last fall degree, HFE, and Weil descent attacks on ECDLP

Ming-Deh A. Huang (USC, [email protected]), Michiel Kosters (TL@NTU, [email protected]), Sze Ling Yeo (I2R, [email protected])

Abstract. Weil descent methods have recently been applied to attack the Hidden Field Equation (HFE) public key systems and solve the el- liptic curve discrete logarithm problem (ECDLP) in small characteristic. However the claims of quasi-polynomial time attacks on the HFE sys- tems and the subexponential time algorithm for the ECDLP depend on various heuristic assumptions. In this paper we introduce the notion of the last fall degree of a poly- nomial system, which is independent of choice of a monomial order. We then develop complexity bounds on solving polynomial systems based on this last fall degree. We prove that HFE systems have a small last fall degree, by showing that one can do division with remainder after Weil descent. This allows us to solve HFE systems unconditionally in polynomial time if the degree of the defining polynomial and the cardinality of the base field are fixed. For the ECDLP over a finite field of characteristic 2, we provide com- putational evidence that raises doubt on the validity of the first fall de- gree assumption, which was widely adopted in earlier works and which promises sub-exponential algorithms for ECDLP. In addition, we con- struct a Weil descent system from a set of summation polynomials in which the first fall degree assumption is unlikely to hold. These exam- ples suggest that greater care needs to be exercised when applying this heuristic assumption to arrive at complexity estimates. These results taken together underscore the importance of rigorously bounding last fall degrees of Weil descent systems, which remains an in- teresting but challenging open problem.

Keywords: HFE · ECDLP · Weil descent · solving equations · first fall degree · last fall degree

1 Introduction

1.1 Zero-dimensional polynomial systems and Weil descent attacks Zero-dimensional multivariate polynomial systems over finite fields arise in many practical areas of interest including in cryptography and coding theory. As such, solving these systems has both practical and theoretical interest. For instance, a major application is in the design of multivariate cryptosystems. One of the earliest proposals for the multivariate cryptosystem was the HFE public-key cryptosystem [21]. In recent years, polynomial solving also arises in elliptic curve cryptography, specifically in the index calculus approach to solve the elliptic curve discrete logarithm problem (ECDLP). Many different approaches had been proposed to solve multivariate polyno- mial equations over finite fields. The most common approach for generic polyno- mial systems is via Gr¨obnerbasis algorithms [1,9,10]. Typically, a Gr¨obnerbasis with respect to the degree reverse lexicographical ordering is first computed via algorithms F4 or F5 [9,10]. It is then converted to a Gr¨obnerbasis with respect to the lexicographical ordering by algorithms such as the FGLM algorithm [11] which contains equations where variables are eliminated. This enables the vari- ables to be solved one at a time. In general, it is very difficult to determine the complexity of the Gr¨obnerbasis algorithm. Various authors have used the term “the degree of regularity” to describe properties of a system that can be used to obtain complexity results. However not all definitions of this term are equivalent. Another approach to solve multivariate polynomial systems is the XL algo- rithm and its variants [2–5,17]. This class of algorithms performs well when the system under consideration is overdetermined, that is, the number of equations far exceeds the number of variables. In this present paper, we first introduce the notion of the last fall degree of a polynomial system over a finite field. Our definition is intrinsic to the polynomial system itself, independent of the choice of a monomial order. With this notion at our disposal, we present an explicit algorithm to find all the roots of a zero- dimensional multivariate polynomial system, bounding the complexity by the last fall degree. When the polynomial systems are over a field of cardinality qn, where q is a prime power and n a positive integer, one can convert this system via Weil descent to a system over its subfield with q elements (see Section 3 for more details). This results in a polynomial system over a smaller field, but at the expense of more variables. For example, Weil descent has been adopted to solve the HFE system as well as the index calculus method for ECDLP. In this paper, we will describe Weil descent systems arising from a polynomial in one variable and study the relations among various polynomial systems. Analogous definitions hold for a multivariate polynomial system.

1.2 The HFE cryptosystem Let k be a finite field of cardinality qn, with subfield k0 of cardinality q. Let f ∈ k[X] be a polynomial over k with a relatively small degree. Using factorization algorithms, one can easily factorize this polynomial to find its roots in k. One can transform this system using Weil descent and two transformations into a system in n variables over k0. At first glance, this system seems to be hard to solve and this is the basis of the Hidden Field Equations (HFE) cryptosystem (see [21] and Subsection 4.1). Computational and heuristic evidence show that such a system is not secure [7,8,16]: the degree of regularity of a Weil descent systemis small and does not depend on n and hence the system can be solved efficiently using Gr¨obnerbasis algorithms. In particular in [16], the authors claimed that the HFE system can be solved efficiently under a heuristic assumption on the

2 complexity of the Gr¨obnerbasis computations to solve the system. More recently, Christophe Petit, in a preprint [22], gives a proof of this observation by doing manipulations using his successive resultant algorithm on the descent side. In this article, we prove that HFE systems have a small last fall degree, by showing that one can do division with remainder after Weil descent. This allows us to solve the HFE systems unconditionally in polynomial time if the degree of the defining polynomial and the cardinality of the base field are fixed. 0 0n 0 We have a natural right action of Affn(k ) = k o GLn(k ) on the ring 0 0 0 R = k [Y0,...,Yn−1] by acting as affine change of coordinates. If M ∈ Affn(k ) and g ∈ R0 we write gM for this action. The main theorem is the following, which allows one to solve HFE systems efficiently. We stress that our results hold for a larger class of polynomial systems as we do not require the resulting Weil descent system to be quadratic. For r ∈ Z≥0 and c ∈ Z≥1, we set

ψ(r, c) = max (b2(c − 1) (logc (r) + 1)c, 0) .

Main Theorem 1. Let q be a prime power and let k be a finite field of cardi- nality qn with subfield k0 of cardinality q. Let f ∈ k[X] nonzero which has at 0 0 most e different roots over k and let F = {f}. Let Ff ⊂ k [Y0,...,Yn−1] be a 0 0 Weil descent system of F (Subsection 3.1). Let M ∈ Affn(k ), N ∈ GLn(k ). Define gi, i = 0, . . . , n − 1, by     g0 [f]0M  .   .   .  = N  .  . gn−1 [f]n−1M

q q Set d = max(ψ(deg(f), q), q, e). Then given G = {g0, . . . , gn−1,Y0 −Y0,...,Yn−1− 0 Yn−1} ⊂ k [Y0,...,Yn−1], one can deterministically find all solutions to G in time polynomial in (n + d)d.

If one fixes q and deg(f), then the complexity to solve systems in Main Theorem 1 is polynomial in n. Note that e ≤ deg(f), but usually it is much smaller. Furthermore, in practical applications, one wants e to be small, say bounded by a constant: in this case one can solve the above system in quasi- polynomial time if q is fixed and deg(f) grows like nα. It is an open question whether variants of HFE, such as HFEv-, can be attacked by our approach.

1.3 Polynomial systems from ECDLP

A major application of solving multivariate polynomial equations over a finite field k of cardinality qn is in the relation search step of the index calculus algo- 2 rithm for elliptic curves over the field [6,14,23]. Indeed, let E : y + a1xy + a3 = 3 2 x +a2x +a4x+a6, where a1, a2, a3, a4, a6 ∈ k, be an elliptic curve defined over k. Let P be a point on E and let Q be a point in the cyclic group generated by

3 P . The elliptic curve discrete logarithm problem seeks for an integer a such that Q = aP . The most important step in the index calculus approach is to generate suf- ficiently many relations among suitable points on the elliptic curve E. To this end, summation polynomials provide a way to achieve this (see Subsection 5.1). In particular, this transforms the problem of finding relations among points to solving a system of polynomial equations over k via the summation polynomials. Cryptographic applications of Weil descent were first suggested by Frey [12], and Weil descent attacks were initially applied to elliptic curves of composite degrees over F2 [12, 15]. In [6] and [14], Weil descent was exploited to solve the ECDLP by applying the Weil descent to the summation polynomials over k. In [6], for instance, sub-exponential time estimates via this Weil descent approach were obtained for certain classes of q and n. Here, the author relied on a geometric approach by Rojas to solve a Weil descent system. In [23], Petit et al studied Weil descent systems arising from polynomial sys- tems over fields of characteristic 2. Their results are based on a certain heuristic assumption, called the first fall degree assumption, which asserts that the first fall degree of a polynomial system is close to the degree of regularity. More 2/3 specifically, they obtained a sub-exponential time complexity of 2O(n log n) on the basis of this assumption. In this article, we provide computational evidence that raises doubt on the validity of the first fall degree assumption when applied to elliptic curves over fields of characteristic 2. In addition, we construct a Weil descent system from a set of summation polynomials in which the first fall degree assumption is unlikely to hold. These examples suggest that greater care needs to be exercised when applying this heuristic assumption to arrive at complexity estimates.

1.4 Our contributions The contributions of this paper are three-fold.

– First, we introduce the notion of the last fall degree for a finite set of poly- nomials. Intuitively, this last fall degree determines the minimum degree at which operations on the generating polynomials need to be performed for all other polynomials to be generated. Our definition is intrinsic to the gen- erating system and is independent of any monomial order. This allows us to provide an explicit and generic algorithm to find all the zeroes of a zero- dimensional set of polynomials whose time complexity depends on this last fall degree. While our approach may be similar to existing Gr¨obnerbasis algorithms, we stress that we have developed a generic framework that ap- plies to any multivariate zero-dimensional polynomial system with a time complexity dependent on a well-defined parameter. – Second, we prove that the polynomials from the HFE system can be solved in polynomial time if the degree of the defining polynomial and the cardinal- ity of the base field are fixed. Our proof is elementary and complete, without relying on any unproved assumptions or results. We do this by bounding the

4 last fall degree of the zero-dimensional system and then exploit the aforemen- tioned algorithm to solve the system. Besides, our proof works for any uni- variate polynomial f(X) bounded by some degree in contrast to the original HFE system which restricts the monomials in f(X) to be of a certain form. More importantly, our approach can be applied to analyze zero-dimensional polynomial systems of other types (see [20]). – Finally, we consider an important application of solving a zero-dimensional multivariate polynomial system, namely in finding relations for index calcu- lus algorithms to solve the elliptic curve discrete logarithm problem. Here, we revisit the first fall degree assumption adopted in [23] to derive a sub- exponential time estimate to solve the ECDLP. We illustrate two examples which raise some doubts on the correctness of this assumption on Weil de- scent systems arising from summation polynomials. From such examples, we believe that more evidence has to be presented before applying the first fall degree assumption to make complexity claims on the ECDLP.

1.5 Organization of the paper

The rest of this article is organized as follows. We begin in Section 2 by defining a vector space of polynomials obtained with operations within a certain degree starting from a set of polynomials. We then use this set to define the notion of the last fall degree of a polynomial system. With these notions, we present an algorithm to find all the zeros of a zero-dimensional multivariate polynomial system over a finite field. Next in Section 3, we define the notion of a Weil descent system and of a fake Weil descent system arising from a system of univariate polynomials over a field of cardinality qn and we discuss the relations between both systems. This is followed by our attack on the HFE system in Section 4. The main result in this section is Main Theorem 1. In the final section, we provide a brief discussion and some comments on Weil descent attacks on ECDLP.

2 Constructible polynomials

Let k be a field and let R = k[X0,...,Xn−1] be a polynomial ring. Let F be a finite subset of R and let I ⊆ R be the ideal generated by F. We set deg(F) = max(deg(f): f ∈ F).

Definition 1. For i ∈ Z≥0, we let VF,i be the smallest k-vector space of R such that

1. {f ∈ F : deg(f) ≤ i} ⊆ VF,i; 2. if g ∈ VF,i and if h ∈ R with deg(hg) ≤ i, then hg ∈ VF,i.

We set VF,∞ = I. For convenience, we set VF,−1 = ∅. If F is fixed, we often write Vi instead of VF,i.

5 Intuitively, Vi is the largest subset of I which can be constructed from F by doing ideal operations without exceeding degree i. Note that Vi is a finite-dimensional k-vector space of dimension dimk(Vi) ≤ n+i
i i ≤ (n + i) . If F is fixed and g1, g2 ∈ R, then we write g1 ≡i g2 whenever g1 − g2 ∈ Vi. Note that for h1, h2, h3 ∈ R with h1 ≡r h2, one has

h1h3 ≡max(r,deg(h1h3),deg(h2h3)) h2h3.

We write g1 ≡ g2 if g1 − g2 ∈ I.

Definition 2. Let F be a finite subset of R and let I be the ideal generated by F. The minimal c ∈ Z≥0 ∪{∞} such that for all f ∈ I one has f ∈ Vmax(c,deg(f)), is called the last fall degree of F, and is denoted by dF .

A monomial order ≤ on R is called degree refining if for monomials M,N with deg(M) < deg(N), one has M < N.

Lemma 1. The following hold:

1. One has dF ∈ Z≥0. 2. Let B be a Gr¨obnerbasis of I with respect to some degree refining monomial order on R. Then there is an integer c ∈ Z≥0 such that B ⊆ VF,c and one has dF ≤ c.

Proof. Since (1) follows from (2), we will prove (2). Let {g1, . . . , gs} be a Gr¨obner basis of I with respect to some monomial order which refines the degree. Set c to be the minimal i such that gj ∈ Vi for all j. Let f ∈ I. Since B is a Gr¨obner Ps basis of I with respect to a degree refining order, we can write f = i=1 aigi with deg(aigi) ≤ deg(f) for i = 1, . . . , s. Then one easily finds f ∈ Vmax(deg(f),c).

Note that the bound c on dF given in Lemma 1 is constructed with respect to a fixed monomial order. However, the last fall degree dF is intrinsic to the set F and independent of the choice of a monomial order. Let G be obtained from F through an invertible linear transformation of equa- tions. Then one has max(dF , deg(F)) = max(dG, deg(F)). Note that deg(F) = deg(G). Further, since any affine transformation of the variables X0,...,Xm−1 is degree-preserving, the last fall degree is invariant under such transformations. Finally, enlarging the field k does not change the last fall degree.

Remark 1. The name last fall degree has been chosen because there is a similar concept called the first fall degree, which is used to heuristically bound the complexity of Gr¨obnerbasis algorithms, see [23]. The first fall degree of a system F is the smallest d ≥ deg(F) such that there exists gf ∈ R for f ∈ F such that P P d = maxf∈F (deg(gf f)) and deg( f∈F gf f) < d and f∈F gf f 6= 0. An equivalent definition of the last fall degree is the following: dF is the largest c ∈ Z≥0 such that Vc ∩ R≤c−1 6= Vc−1, where R≤c−1 denotes the set of all polynomials in R with degree less than or equal to c − 1. This definition has the

6 same flavour as the definition of the first fall degree. This equivalent definition of the last fall degree allows one to compute the last fall degree if an upper bound, for example from Lemma 1, is known. It would be of great interest to find a direct method for computing the last fall degree.

2.1 An explicit construction of Vi

Next, we describe an algorithm to construct Vi explicitly. Let V be a finite-dimensional k-vector subspace of k[X0,...,Xn−1]. We say P that B is a reduced basis of V if B is a basis of V and for all h = g∈B agg, ag ∈ k, we have deg(h) = maxg∈B deg(agg). For instance, a reduced basis can be constructed if we order the monomials with respect to their degrees and apply linear algebra operations to obtain a basis with different leading monomials. Fix an integer i ≥ 0 and let F = {f1, . . . , fr} ⊂ k[X0,...,Xn−1]. We con- struct Vi inductively as follows. Let W0 be the k-linear span of {fj : j = 1, . . . , r, deg(fj) ≤ i}. By linear algebra operations, construct a reduced basis B0 of W0. For j = 1, 2,..., define Wj = Spank{tg : g ∈ Bj−1, t is a monomial and deg(tg) ≤ i}. Construct a reduced basis Bj of Wj from using linear algebra. Note that Wj contains Wj−1. Since W0 ⊆ W1 ⊆ ... ⊆ Vi, this process must terminate and we conclude that there exists some l such that Wl = Wl+1. We claim that Wl = Vi. Suppose not. Then there must exist some g ∈ Wl and h ∈ k[X0,...,Xn−1] such that gh 6∈ Wl and deg(gh) ≤ i. Let Bl = {g1, . . . , gs} be a reduced basis of Wl. Then one has g = a1g1 + a2g2 + ... + asgs with a1, a2, . . . , as ∈ k. Since Bl is a reduced basis of Wl, maxj(deg(ajgj)) = deg(g). P Hence, gh = j gajgj and maxj(gajgj) ≤ i so that Wl+1 6= Wl. Assume k is a finite field of cardinality q. Since l is bounded by (n + i)i, it follows from the above arguments that one can compute Vi in time polynomial in r, log(q) and (n + i)i. Furthermore, using linear algebra, one can determine if a polynomial f with deg(f) ≤ i lies in Vi with the same time bound.

2.2 Solving a zero-dimensional polynomial system

Consider a system of r multivariate polynomial equations over a field k of car- dinality q, namely, f1 = f2 = ... = fr = 0 in n variables X0,X1,...,Xn−1. Suppose that the algebraic set defined by this system is zero-dimensional, that is, there are finitely many solutions over an algebraic closure k of k. The next proposition gives a generic approach to solve the system via the above construc- tion of Vi.

Proposition 1. Let k be a finite field of cardinality q. Let F ⊂ R be a finite subset and let I be the ideal generated by F. Assume that I is radical and that the system has at most e solutions over k. Set d = max(dF , e). Then one can find all solutions of I in k

– probabilistically in time polynomial in the input size of F, log(q) and (n+d)d;

7 – deterministically in time polynomial in the input size of F, q and (n + d)d.

Proof. First, note that one can factor a polynomial of degree s over k determin- istically in time polynomial in q and s, and probabilistically in time polynomial in log(q) and s [13]. d Compute Vd in time polynomial in the input size of F, log(q) and (n + d) (Subsection 2.1). Assume that all solutions over k of the system are

n (a0,0, . . . , a0,n−1),..., (at,0, . . . , at,n−1) ∈ k with t < e. Since I is a radical ideal, by the Nullstellensatz and Galois theory, one has Y h0 = (X0 − a) ∈ I.

a∈{ai,0: i=0,...,t}

Using linear algebra, one can find h0 as the nonzero polynomial of minimal e degree d0 in Vd ∩ Spank{1,X0,...,X0 }. Factor h0. Assume that a0 is a root of 0 h0 in k. We will find all solutions over k with X0 = a0. Set h0 = h0/(X0 − a0) of degree d0 − 1. By the Nullstellensatz and Galois theory, one has

0 Y h1 = h0 (X1 − a) ∈ I.

a∈{ai,1: i=0,...,t, ai,0=a0}

Using linear algebra, one finds h1 as the polynomial of minimal degree d1 in 0 0 e−d0+1 0 0 Vd ∩ Spank{h0,X1h0,...,X1 h0}. Factor h1/h0 over k. Pick a solution a1 over k and find all solutions with X0 = a0, X1 = a1 using the similar recursive procedure. Hence one can find all solutions over k as required.

Remark 2. See [20] for a comparison between our approach for solving systems, MutantXL and Gr¨obnerbasis algorithms.

3 Weil descent

n Let q be a prime power. Let n ∈ Z≥1 and let k be a finite field of cardinality q with subfield k0 of cardinality q. Let F be a finite subset of k[X]. In this section, 0 we introduce a Weil descent system of F, which is a system in k [Y0,...,Yn−1]. Furthermore, we introduce the fake Weil descent system of F, which is a system in k[X0,...,Xn−1]. The analysis in this section can be easily extended to m variables for any positive integer m (see Remark 3). Let F ⊂ k[X] be a finite set of polynomials. Suppose we want to find the common zeros of these polynomials in k. Let I be the ideal generated by

qn Ff = F ∪ {X − X}.

8 3.1 Weil descent

0 Pn−1 Let α0, . . . , αn−1 be a basis of k/k . Write X = i=0 αiYi and for f ∈ k[X], 0 define [f]j ∈ k [Y0,...,Yn−1] by

n−1 n X X q q f( αjYj) ≡ [f]jαj (mod Y0 − Y0,...,Yn−1 − Yn−1) j=0 j=0

0 where [f]j ∈ k [Y0,...,Yn−1] is chosen of minimal degree, that is, degYi ([f]j) < q. Consider the systems

0 F = {[f]j : f ∈ F, j = 0, . . . , n − 1}

and

0 q Ff = {[f]j : f ∈ F, j = 0, . . . , n − 1} ∪ {Yi − Yi : i = 0, . . . , n − 1}. The latter is called a Weil descent system of F. Notice that the ideal generated 0 0 q by Ff is always a radical ideal, as k [Y0,...,Yn−1]/(Yi − Yi : i = 0, . . . , n − 1) is isomorphic to a product of fields (Chinese remainder theorem). One easily sees 0 0 0 that solutions of F or Ff in k correspond to solutions of F or Ff over k . A different choice of αi merely results in a linear change of the variables Yi and the polynomials [f]i. An interesting choice for the αi is a normal basis, that qi is, a basis with αi = θ for some θ ∈ k.

3.2 Fake Weil descent To study the complexity of solving a Weil descent system, we relate a Weil descent system to another system in k[X0,...,Xn−1], which we refer to as the fake Weil descent system. e0 Let R = k[X0,...,Xn−1]. Let e ∈ Z≥0. Let X be the remainder of division e qn 0 Pn−1 0 j 0 of X by X −X in k[X]. Write e = j=0 ejq in base q with ej ∈ {0, 1, . . . , q− 1}. We set

0 e0 e e0 n−1 X = X0 ··· Xn−1 ∈ R. We extend this definition k-linearly for all polynomials in R. This gives a map ¯: k[X] → R. We set, where by convention Xn = X0,

F = {f : f ∈ F}

and

q q F f = {f : f ∈ F} ∪ {X0 − X1,...,Xn−1 − Xn}.

We let I be the ideal generated by F f . We call F f the fake Weil descent system of F. Note that I is a radical ideal. Indeed the k-algebra morphism

9 q q qn qi R/(X0 − X1,...,Xn−1 − Xn) → k[X0]/(X0 − X0) which sends Xi to X0 is an isomorphism, because it is a surjective morphism on k-vector spaces of the same dimension. The latter ring is isomorphic to kk by the Chinese remainder theorem. In the ring kk all ideals are radical. There is a bijection between the set of solutions of I and those of I over k q qn−1 (or k). If X = a ∈ k is a zero of I, then (X0,...,Xn−1) = (a, a , . . . , a ) is a zero of I. Conversely, if (X0,...,Xn−1) = (a0, . . . , an−1) is a solution of I, then X = a0 is a solution of I. We will now prove a couple of lemmas which will be useful later.

Lemma 2. Let h1, h2 ∈ R, g ∈ k[X]. One has, where ≡i is defined with respect to F f :

1. h + h ≡ h + h ; 1 2 max(deg(h1),deg(h2)) 1 2 2. h · h ≡ h h ; 1 2 deg(h1)+deg(h2) 1 2 n 3. There is h3 ∈ k[X] with deg(h3) < q such that g ≡deg(g) h3.

Proof. One reduces to the case of monomials and the result then follows easily.

qi We have a morphism of k-algebras ϕ : R → k[X] which maps Xi to X . This map has the following properties.

Lemma 3. Let h ∈ k[X]. The following statements hold:

n 1. ϕ(h) ≡ h (mod Xq − X); 2. h ∈ I if and only if h ∈ I.

Proof. 1: Follows directly. qn P 2: Let h ∈ I. We will show h ∈ I. One can write h = b(X −X)+ f∈F af f. Modulo I we find with Lemma 2:

qn X X h = b(X − X) + af f ≡ b(X0 − X0) + af f ≡ 0. f∈F f∈F

Pn−1 q Conversely, let h ∈ k[X] and assume h ∈ I. Write h = j=0 cj(Xj −Xj+1)+ P f∈F bf f. One finds, using 1,

n−1 X q X ϕ(h) = ϕ(cj)ϕ(Xj − Xj+1) + ϕ(bf )ϕ(f) j=0 f∈F qn X qn ≡ ϕ(cn−1)(X − X) + ϕ(bf )f (mod X − X). f∈F

We conclude ϕ(h) ∈ I.

10 3.3 Summary of notation Let us recall some notation we have introduced thus far. Let F ⊂ k[X] be a finite subset, where k is a finite field of cardinality qn and let k0 be its subfield of cardinality q with an implicit choice of basis of k over k0. We let I be the ideal generated by

qn Ff = F ∪ {X − X}.

0 We have systems in k [Y0,...,Yn−1] defined by

0 F = {[f]j : f ∈ F, j = 0, . . . , n − 1} and a Weil descent system

0 q Ff = {[f]j : f ∈ F, j = 0, . . . , n − 1} ∪ {Yi − Yi : i = 0, . . . , n − 1}.

Finally, we have systems in k[X0,...,Xn−1] defined by F = {f : f ∈ F} and the fake Weil descent system

q q F f = {f : f ∈ F} ∪ {X0 − X1,...,Xn−1 − Xn}.

We let I be the ideal generated by F f .

3.4 Relating both types of descent This subsection seeks to connect the last fall degrees of a Weil descent system and the fake Weil descent system presented in Subsection 3.1 and Subsection 3.2. We follow the formulation in [16] which essentially shows that the two systems are linked by suitable transformations. We have the following result. Proposition 2. One has

0 0 max(d 0 , q, deg(F )) ≤ max(d , q, deg(F )). Ff F f Proof (Sketch). We follow [16]. The details can be found in [20]. One has deg(F 0) = deg(F). After a linear change, we may assume that a Weil descent in F 0 is i with respect to a normal basis {θq : i = 0, . . . , n − 1}. Consider the system 0 F ⊆ k[Y0,...,Yn−1], which has the same last fall degree as considered over k0. Using some linear changes of the polynomials and linear changes of vari- ables as in Section 4 of [16], we obtain the system F 00 = {f, f q,..., f qn−1 : f ∈ q q F} ∪ {Y0 − Y1,...,Yn−1 − Yn}. One has 0 0 max(d 0 , q, deg(F )) = max(d 00 , q, deg(F )). Ff F

Note that F ⊆ F 00 and that both sets generate the same ideal (Lemma 2(2)). Hence the result follows.

11 Remark 3. In this section, we have presented a Weil descent system and its re- lated fake Weil descent system corresponding to a polynomial system in one variable X over k. This definition can be easily extended to a system of r poly- nomials in m variables over k such that each variable corresponds to n descent variables. This gives rise to rn polynomials in mn variables and all the results follow accordingly.

4 Solving the HFE system

In this section, our primary goal is to prove that the HFE system and its vari- ants can be solved efficiently by employing the tools we have developed so far. Although such results were shown previously (see for example [16]), their proofs were based on some heuristics. Our proof, on the other hand, is rigorous and free from any unproven conjecture or heuristics. Another claim for a proof can be found in [22]. We begin by reviewing the general description of the HFE system. Through- out this section, k will denote a field of cardinality qn, while k0 will denote its subfield of cardinality q.

4.1 Description of the HFE encryption The HFE public key cryptosystem was first introduced by Patarin [21]. Briefly, let f(X) be a univariate polynomial in k[X] with degree bounded by qt. In practice, the nonconstant monomials in f are chosen to be either of the form i j i Xq +q or Xq for integers i, j ≥ 0. However, we will remove this restriction in this paper and allow f to be an arbitrary polynomial with degree bounded by qt. Let F = {f} ⊂ k[X] and consider the Weil descent system

0 q 0 Ff = {[f]0,..., [f]n−1} ∪ {Yi − Yi : i = 0, . . . , n − 1} ⊆ k [Y0,...,Yn−1] as in Subsection 3.1 with respect to some basis of k/k0. We have a natural 0 0 0 right action of Affn(k ) on R = k [Y0,...,Yn−1] by an affine transformation 0 0 of variables. Let M ∈ Affn(k ). For g ∈ k [Y0,...,Yn−1], we write gM for this 0 action. Let N ∈ GLn(k ). Define     g0 [f]0M  .   .   .  = N  .  . gn−1 [f]n−1M

The public key of the system is the set of equations {g0, g1, . . . , gn−1} ⊂ 0 0 k [Y0,...,Yn−1] while the private key comprises f, the basis choice k/k and the 0n transformations M and N. To encrypt a message, (m0, m1, . . . , mn−1) ∈ k , one computes

(c0, . . . , cn−1) = (g0(m0, . . . , mn−1), . . . , gn−1(m0, . . . , mn−1)).

12 Using the private key and a factorization algorithm, one can find the message efficiently. q Let G = {g0 − c0, . . . , gn−1 − cn−1} ∪ {Yi − Yi : i = 0, 1, . . . , n − 1}. Observe that the message (m0, . . . , mn−1) can be recovered if we can solve G. This can be achieved deterministically via Proposition 1 in time polynomial in q and (n+d)d, where d is bounded by the maximum of the last fall degree of G and the number of solutions e of G. Notice that we are now in the situation of the main theorem (Main Theorem 1) which we now proceed to prove.

4.2 An upper bound on the last fall degree Let q be a prime power and let k be a finite field of cardinality qn. Let F ⊂ k[X] be a finite set. Consider a fake Weil descent system F f to the subfield of P i cardinality q. Define ≡j with respect to F f . For e ∈ Z≥0 with e = i aiq in P P i base q, we set w(e) = i ai. For f = i biX , we set w(f) = max(w(i): bi 6= 0). Note that w(f) ≤ deg(f), with equality if deg(f) < qn. We start with a technical lemma. Recall the following. For r ∈ Z≥0 and c ∈ Z≥1, we set

ψ(r, c) = max (b2(c − 1) (logc (r) + 1)c, 0) . Let g ∈ k[X] \ k. Then one has
deg(g) ≤ (q − 1) logq(deg(g)) + 1 . It follows that deg(g) ≤ ψ(deg(g), q)/2.

Lemma 4. Let h2 ∈ k[X] nonzero of degree d. Set u = ψ(d, q). Assume h2 ≡u 0. Let h1 ∈ k[X]. Let h3 be the remainder of division of h1 by h2. Then one has h1 ≡max(u,w(h1)) h3. Proof. If d = 0, the result follows easily. Assume d > 0. Pd i Fix h2 and write h2 = i=0 biX where bd 6= 0. Since taking remainders is e additive, it suffices to prove the result for h1 = X . Let re be the remainder of e division of X by h2. For g ∈ k[X] with deg(g) ≤ d, one has deg(g) ≤ u/2. In particular, we have deg(re) ≤ u/2. We will prove the following statements successively:

e 1. for e ∈ {0, 1, . . . , qd − 1}, we have X ≡u re; 0 0 e e0 2. if e, e ∈ Z≥0 satisfy w(e) + w(e ) ≤ u, X ≡u re and X ≡u re0 , then e+e0 X ≡u re+e0 ; e 3. for e ∈ Z≥0 with w(e) ≤ u, we have X ≡u re; e 4. for all e ∈ Z≥0 one has X ≡max(u,w(e)) re. 1: For e = 0, . . . , d − 1, the remainder is Xe itself and the result follows. One −1 Pd−1 i d has rd = biX and this gives X ≡u rd. We continue by induction. bd i=0 Assume the statement holds for cases smaller than e and that e ≤ qd − 1. We Pd−1 j will prove the statement for e. Write re−1 = j=0 cjX . Note that re is the

13 Pd−1 remainder of division of Xre−1 by h2, which gives re = j=0 cjrj+1. Note that e − 1 ≤ qd − 2 = qlogq (d)+1 − 2. Hence we have (as d > 0):

e−1
deg(X) + deg(X ) ≤ 1 + b(q − 1) logq(d) + 2 − 1c
= b(q − 1) logq(d) + 2 c ≤ u. Using Lemma 2 and the induction hypothesis, we find

d−1 d−1 e e−1 X j+1 X X ≡u X · X ≡u X · re−1 ≡u cjX ≡u cjrj+1, j=0 j=0 and this gives the required remainder. 2: Assume without loss of generality that w(e0) ≤ u/2. Then one has u ≥ 0 0 max(w(e) + w(e ), deg(re) + w(e ), deg(re) + deg(re0 )) and one has deg(rere0 ) ≤ 2d − 2 ≤ qd − 1. Lemma 2 and 1 give

e+e0 e e0 e0 X ≡u X · X ≡u re · X ≡u re · re0 ≡u rere0 ≡u re+e0 .

3: Using 2 and induction, we easily reduce to the case where e = qi, i ≥ 0. Note that for i ≥ 1, qi = q · qi−1 and that u ≥ q. We can then apply 2 and the proof follows by induction. 4: We prove this statement by induction on w(e) > u. Write e = e1 + e2 with u ≤ w(e1) < w(e), and w(e1) + w(e2) = w(e). One has (Lemma 2 and part 3)

e e1 e2 e2 X ≡max(u,w(e)) X · X ≡max(u,w(e)) re1 · X

≡max(u,w(e)) re1 · re2 ≡max(u,w(e)) re. Proposition 3. Assume F = {f} with f ∈ k[X] nonzero. Set u = ψ(deg(f), q) qn and set g = gcd(f, X − X). Then we have g ∈ Vu.

qn Proof. Let f1 be the remainder of division of X − X by f. By Lemma 4, we have f1 ≡u 0. Let f2 be the remainder of division of f by f1. Similarly, we find f2 ≡u 0. Hence we can follow the Euclidean algorithm and we obtain g ∈ Vu.

4.3 Proof of the main theorem We can finally prove Main Theorem 1.

Proof (of Main Theorem 1). We first study the last fall degree of G. One has (Proposition 2)

0 0 0 d ≤ max(d , q, deg(F )) = max(d 0 , q, deg(F )) ≤ max(d , q, deg(F )). G G Ff F f

qn Hence we study the last fall degree of F f . Set g = gcd(f, X − X). From Proposition 3, we have g ∈ Vu with u = ψ(deg(f), q). Let h ∈ I, the ideal generated by F f . Define the relations ≡i with respect to n F f . By Lemma 2(3), one has h ≡deg(h) h2 for some h2 ∈ k[X] with deg(h2) < q .

14 Since h2 ∈ I, it follows from Lemma 3(2) that h2 ∈ I. Hence h2 has remainder 0 when divided by g. From Lemma 4, we conclude (as deg(h2) ≤ deg(h)),

h ≡max(deg(h),u) h2 ≡max(deg(h),u) 0.

0 This shows dF ≤ u. Hence one finds, as deg(F ) ≤ u, d ≤ max(d , q, deg(F 0)) ≤ max(u, q, deg(F 0)) = max(u, q). G F f Notice that u ≥ q. Apply Proposition 1 to solve the system G in the required time.

5 Weil descent attacks on ECDLP

5.1 ECDLP and summation polynomials Let E be an elliptic curve over a field k of cardinality qn and let k0 be its sub- field of cardinality q. One possible approach to solve the elliptic curve discrete logarithm problem (ECDLP) is via the index calculus method. Essentially, suf- ficiently many relations between k-points on the curve E need to be generated and the time to construct such relations has a direct impact on the complexity of the entire index calculus approach. In [24] and [6], summation polynomials were used to find relations between points on the curve. Here, we recall the definition of a summation polynomial. 5 Let F be a field. Let A = (a1, a2, a3, a4, a6) ∈ F . Set

2 b2 = a1 + 4a2,

b4 = a1a3 + 2a4, 2 b6 = a3 + 4a6, 2 2 2 b8 = a1a6 − a1a3a4 + a2a3 + 4a2a6 − a4. We define

SA,2 = X0 − X1 ∈ F [X0,X1].

We define the third summation polynomial SA,3 ∈ F [X0,X1,X2] of degree 4 by:

2 2 2 2 2 2 2 2 2 SA,3 = (X0 X1 + X0 X2 + X1 X2 ) − 2 · (X0 X1X2 + X0X1 X2 + X0X1X2 )

−b2 · (X0X1X2) − b4 · (X0X1 + X0X2 + X1X2) − b6 · (X0 + X1 + X2) − b8.

We will quite often write SA instead of SA,3. For r ∈ Z>3, we recursively define the rth summation polynomial by

SA,r = ResX (SA,r−1(X0,...,Xr−3,X),SA,3(Xr−2,Xr−1,X)) ∈ F [X0,...,Xr−1], where ResX denotes the resultant with respect to X. We have the following proposition.

15 Proposition 4. Let F be a field and let E/F be an elliptic curve given by Y 2 + 3 2 a1XY + a3Y = X + a2X + a4X + a6. Let r ∈ Z≥2 and let x0, . . . , xr−1 ∈ F . Then there are P0,...,Pr−1 ∈ E(F )\{0} with x(Pi) = xi (i = 0, . . . , r −1) such that P0 + ... + Pr−1 = 0 if and only if S(a1,a2,a3,a4,a6),r(x0, . . . , xr−1) = 0. It follows that given a point Q 6= 0 and a positive integer m, we can represent a point Q as a sum of m points by solving Sm+1(x(Q),X0,...,Xm−1) = 0. Assume that F = k. Further linear constraints were introduced so as to 0 0 restrict the Xi’s to a subspace V of k of dimension n over k . Let L(X) ∈ k[Xq] ⊂ k[X] be the additive polynomial whose roots are precisely the elements of the subspace V . We obtain a system F of equations in k[X0,...,Xm−1], namely,

F = {Sm+1(x(Q),X0,...,Xm−1),L(X0),L(X1),...,L(Xm−1)}.

Using this set-up and Weil descent (Remark 3), Diem showed that there exist sub-exponential time index calculus algorithms for ECDLP for some families of q and n. The authors of [23] adopted a similar approach and considered ECDLP for q = 2n. To solve the system F, they considered a Weil descent system F 0 over 1/3 F2 (notation as in Subsection 3.1). With m = O(n ), the authors claimed that this system can be solved via Gr¨obnerbasis algorithms in sub-exponential 2/3 time of 2O(n log n). Essentially, their claim was based on the so-called “first fall degree assumption” which asserts that the first fall degree (see Remark 1) of a Weil descent polynomial system is close to the degree of regularity, the largest degree reached during Gr¨obnerbasis computations. More precisely, as the first fall degree of this system is O(m2), they conjectured that the degree of regularity is O(m2) as well, thereby giving their heuristic result. According to the authors, they justified this heuristic assumption based on the following:

– The assumption of a constant gap between the first fall degree and the degree of regularity is widely believed to hold for Weil descent systems arising from HFE systems; – The assumption is verified with experimental data for some multivariate polynomial systems for small parameters of n and m.

5.2 Discussion on the first fall degree assumption Here, we wish to highlight some examples where the first fall degree assumption is unlikely to hold.

One bivariate summation polynomial Let k be a finite field of cardinality 2n. Let E/k be a random elliptic curve in Weierstrass form with a random nonzero point Q ∈ E(k). The following table records the degree of regularity for a Weil descent system comprising the bivariate polynomial S3(X0,X1, x(Q)). Following the formulation in [23], we include linear constraints on X0 and X1 to

16 restrict their values to be in a random F2-subspace of k with dimension dn/2e. Note that in this case, a Weil descent system F 0, after eliminating variables using the linear constraints, is a system in about n variables and has about n quadratic 2 equations together with field equations of the form Yi + Yi. We performed our computations using the “GroebnerBasis()” function in the Magma computer Algebra System and the degree of regularity is read off as the largest step degree where new polynomials are generated while the first fall degree is the smallest step degree at which a new lower-degree polynomial is generated. Here, the last column in the table records the degree of regularity of a system of n random quadratic equations in n variables over F2 together with the n field equations. By a quadratic equation over F2, we mean an equation whose terms are a product of at most 2 variables.

n First fall degree Degree of regularity Random 12 2 3 4 16 2 3 5 18 2 4 5 20 2 4 5 24 2 4 6 30 2 4 – 40 2 ≥ 5 –

As the computations require more than 38 GB for n = 40, we are not able to carry out more experiments for larger values of n. However, the behaviour of the step degrees, another observable parameter from the Gr¨obnerbasis computations, suggests that the degree of regularity follows an increasing pattern as n increases. The above table raises doubt to the evidence of Assumption 2 from the article [23]: the gap between the degree of regularity and the first fall degree might be dependent on n.

Remark 4. Notice that our n = 40 computation did not terminate. After the sub- mission of this paper, with the help of the Caramel team from Nancy (France), we managed to terminate similar computations: the degree of regularity does seem to increase. See [19] for the details. This paper also contains a proof that the first fall degree in general is 2.

Note that in all our computations, the first fall degree is 2. One can prove that this is almost always the case when E is ordinary (a1 6= 0) and Q is not the point of order 2. After some mathematics, the result follows from the following proposition where a complete proof can be found in [18, Chapter 7, Proposition 5.4]. The result is partially found in [25] as well.

2 Proposition 5. Let E/k be an elliptic curve given by Y + a1XY + a3Y = 3 2 X + a2X + a4X + a6. Assume that E is ordinary (a1 6= 0). Then we have a surjective group morphism

E(k) → F2

17 0 7→ 0 x(P ) + a  P 7→ Tr 2 k/F2 2 a1 with kernel 2E(k).

Note that knowledge of this map can speed up the summation polynomial ap- proach for solving ECDLP, but probably only by a constant.

Multiple summation polynomials Let k be a finite field of cardinality 2n and let E/k be an elliptic curve. Let Q ∈ E(k) be a nonzero point. Let m ∈ Z≥3. Instead of working with the (m + 1)st summation polynomial, we consider the following sequence of m sums:

Q = P1 + Q1,

Q1 = P2 + Q2, ......

Qm−2 = Pm−1 + Pm.

Observe that when this system is satisfied, we have Q = P1 + ... + Pm. Once again, we let the x-coordinates of Pi be restricted in some subspace of dimension O(n/m). Consider the set

F = {S3(x(Q),X1,Y1),...,S3(Ym−2,Xm−1,Xm)}, where the Xi’s are restricted to the subspace and the Yi are unrestricted. We 0 perform Weil descent to obtain a system F of equations in F2, where each equation has degree at most 3. According to [23], the first fall degree of this system is no greater than 5 (in fact, it is usually 2). Under the first fall degree assumption, this system will have a constant degree of regularity. In particular, it can be solved in time polynomial in m. Now, take m = O(n). Letting the i Pi’s take some specific points, say Pi = 2 P, i = 1, . . . , m, this system will allow us to solve the ECDLP for a large proportion of points Q and thus, for all points Q. Consequently, we have a polynomial-time algorithm to solve ECDLP, which is highly improbable. We conclude that the first fall degree assumption is unlikely to hold for this system as well. In a similar way, using the first fall degree assumption, one can prove P=NP [19].

5.3 Open problem on the last fall degree From the discussion in the preceding subsection, we believe that greater justifica- tion needs to be provided before one applies the first fall degree assumption to a Weil descent system arising from a multivariate polynomial system. Nonetheless, as Table 1 demonstrates, the degree of regularity of a Weil descent system tends to grow more slowly than a random system with the same number of equations

18 and variables. The big question is, how slowly does it grow. The slower it grows, the better algorithms there will be for ECDLP using Gr¨obnerbasis algorithms. As such, we believe that it remains worthwhile to analyze such systems in greater detail in order to get a more rigorous estimate to solve the ECDLP. In this article, we defined the notion of a last fall degree of a multivariate polynomial system and describe an explicit algorithm to solve a zero-dimensional polynomial system whose time complexity depends on this last fall degree. As the last fall degree is independent of monomial orders, it enables us to give a rigorous bound on the time to solve a Weil descent system coming from univariate polynomials. We believe that this framework will be useful to help us investigate Weil descent systems from multivariate polynomials as well and will hopefully allow us to rigorously bound last fall degrees.

Remark 5. After submitting this paper, the authors continued their work in [20], and showed that the last fall degree of a Weil descent system arising from a zero-dimensional system also does not depend on the Weil descent parameter n. Unfortunately, the results of [20] do not apply to summation polynomials, because such systems are not zero-dimensional without adding field equations.

6 Acknowledgements

The authors would like to thank Bagus Santoso, Chaoping Xing and Yun Yang for their help and support in preparing this manuscript. We are grateful to Steven Galbraith and the anonymous reviewers for their valuable comments. Finally, we would like to thank the Caramel team from Nancy (France) for allowing us to use their computers to do experiments.

References

1. Buchberger, B.: Ein Algorithmus zum Auffffinden der Basiselemente des Restk- lassenringes nach einem nulldimensionalen Polynomideal. PhD thesis, Univer- sity of Innsbruck (1965) 2. Buchmann, J. A., Ding, J., Mohamed, M. S. E., and Mohamed, W. S. A. E. Mutantxl: Solving multivariate polynomial equations for cryptanaly- sis. In Symmetric Cryptography (Dagstuhl, Germany, 2009), H. Handschuh, S. Lucks, B. Preneel, and P. Rogaway, Eds., no. 09031 in Dagstuhl Seminar Proceedings, Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany. 3. Courtois, N., Klimov, A., Patarin, J., Shamir., A.: Efficient Algorithms for Solv- ing Overdeffined Systems of Multivariate Polynomial Equations. Eurocrypt’00, LNCS 1807, pp. 392-407 (2000) 4. Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdeffined Systems of Equations ASIACRYPT’02, LNCS 2501, pp. 267-287 (2002) 5. Courtois, N., Patarin, J.: About the XL Algorithm over GF(2). CT-RSA’03, LNCS 2612, pp. 141-157 (2003) 6. Diem, C.: On the Discrete Logarithm Problem in Elliptic Curves. Compositio Mathematica 147, pp.75-104 (2011)

19 7. Ding, J., and Hodges, T. J.: Inverting HFE Systems is Quasi-polynomial for All Fields. CRYPTO’11, vol. 6841, LNCS, pp. 724–742, (2011) 8. Faug`ere,J.C., and Joux, A.: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gr¨obnerBases. CRYPTO’03, vol. 2729, LNCS pp. 44–60, (2003) 9. Faug`ere,J.C.: A new efficient algorithm for computing Gr¨obnerbases (F4). J. Pure Appl. Algebra, 139, pp. 61-88 (1999) 10. Faug`ere,J.C.: A new efficient algorithm for computing Gr¨obnerbases without reduction to zero F5. Proceedings of ISSAC, ACM Press, pp. 75-83 (2002) 11. Faug`ere,J.C., Gianni, P. M., Lazard, D., Mora, T.: Efficient computation of zero- dimensional gr¨obnerbases by change of ordering. J. Symb. Comput., 16 (4), pp. 329-344 (1993) 12. Galbraith, S.D., Smart, N.P.: A cryptographic application of Weil descent. Pro- ceedings Cryptography and Coding, Springer LNCS 1746, pp 191-200 (1999) 13. von zur Gathen, J., and Panario, D.: Factoring Polynomials over Finite Fields: A Survey. J. Symbolic Comput. 31, 1-2, pp. 3–17, (2001). Computational alge- bra and number theory, (1996) 14. Gaudry, P.: Index Calculus for Abelian Varieties of Small Dimension and the Elliptic Curve Discrete Logarithm Problem. J. Symb. Comput. , 44(12), pp. 1690-1702 (2009) 15. Gaudry, P., Hess F., Smart, N. P.: Constructive and destructive facets of Weil descent on elliptic curves. Journal of Cryptology, 15(1), pp. 19-46 (2002) 16. Granboulan, L., Joux, A., Stern, J.: Inverting HFE is quasipolynomial. CRYPTO’06, LNCS 4117, pp. 345-356, Springer (2006) 17. Kipnis, A., Shamir, A.: Cryptanalysis of the HFE Public Key Cryptosystem. CRYPTO’99, LNCS 1666, pp. 19-30 (1999) 18. Kosters, M.: Groups and fields in arithmetic. PhD thesis, Universiteit Leiden (2014) 19. Kosters, M., and Yeo, S. L.: Notes on summation polynomials. preprint http: //arxiv.org/abs/1503.08001 (2015). 20. Huang, M-D. A., Kosters, M., Yang, Y., and Yeo, S. L.: On the last fall degree of zero-dimensional Weil descent systems. preprint http://arxiv.org/abs/ 1505.02532 (2015) 21. Patarin, J.: Hidden Field Equations (HFE) and Isomorphisms of Polynomials (IP): two families of asymetric algorithms. Eurocrypt’96, LNCS 1070, pp. 33-46 (1996) 22. Petit, C.: Bounding HFE with SRA. preprint http://www0.cs.ucl.ac.uk/ staff/c.petit/files/SRA_GB.pdf (2013). 23. Petit, C., Quisquater, J.: On Polynomial Systems Arising from a Weil Descent. Asiacrypt’12, LNCS 7658, pp. 451-466 (2012) 24. Semaev, I.: Summation polynomials and the discrete logarithm problem on elliptic curves. preprint https://eprint.iacr.org/2004/031.pdf (2004) n 25. Seroussi, G.: Compact Representation of Elliptic Curve Points Over F2 Re- search Contribution to IEEE P1363 (1998)

20